From 7aae46f952cb7b9614e3a0172ed3f0ad9a30f3a4 Mon Sep 17 00:00:00 2001 
From: mykolalosev
Date: Thu, 19 Jan 2023 14:07:48 +0200
Subject: [PATCH] issue-96
---
 .../v1beta1/zz_attestor_types.go | 210 ++++++
 .../v1beta1/zz_generated.deepcopy.go | 634 ++++++++++++++++++
 .../v1beta1/zz_generated.managed.go | 152 +++++
 .../v1beta1/zz_generated.managedlist.go | 38 ++
 .../v1beta1/zz_generated.resolvers.go | 55 ++
 .../v1beta1/zz_generated_terraformed.go | 174 +++++
 .../v1beta1/zz_groupversion_info.go | 44 ++
 .../v1beta1/zz_policy_types.go | 192 ++++++
 apis/zz_register.go | 2 +
 config/externalname.go | 7 +
 config/externalnamenottested.go | 4 -
 .../binaryauthorization/attestor.yaml | 50 ++
 .../binaryauthorization/policy.yaml | 57 ++
 examples/binaryauthorization/attestor.yaml | 47 ++
 examples/binaryauthorization/policy.yaml | 54 ++
 .../attestor/zz_controller.go | 64 ++
 .../policy/zz_controller.go | 64 ++
 internal/controller/zz_setup.go | 8 +-
 ...uthorization.gcp.upbound.io_attestors.yaml | 480 +++++++++++++
 ...authorization.gcp.upbound.io_policies.yaml | 400 +++++++++++
 20 files changed, 2730 insertions(+), 6 deletions(-)
 create mode 100755 apis/binaryauthorization/v1beta1/zz_attestor_types.go
 create mode 100644 apis/binaryauthorization/v1beta1/zz_generated.deepcopy.go
 create mode 100644 apis/binaryauthorization/v1beta1/zz_generated.managed.go
 create mode 100644 apis/binaryauthorization/v1beta1/zz_generated.managedlist.go
 create mode 100644 apis/binaryauthorization/v1beta1/zz_generated.resolvers.go
 create mode 100755 apis/binaryauthorization/v1beta1/zz_generated_terraformed.go
 create mode 100755 apis/binaryauthorization/v1beta1/zz_groupversion_info.go
 create mode 100755 apis/binaryauthorization/v1beta1/zz_policy_types.go
 create mode 100644 examples-generated/binaryauthorization/attestor.yaml
 create mode 100644 examples-generated/binaryauthorization/policy.yaml
 create mode 100644 examples/binaryauthorization/attestor.yaml
 create mode 100644 examples/binaryauthorization/policy.yaml
 create mode 100755 internal/controller/binaryauthorization/attestor/zz_controller.go
 create mode 100755 internal/controller/binaryauthorization/policy/zz_controller.go
 create mode 100644 package/crds/binaryauthorization.gcp.upbound.io_attestors.yaml
 create mode 100644 package/crds/binaryauthorization.gcp.upbound.io_policies.yaml
diff --git a/apis/binaryauthorization/v1beta1/zz_attestor_types.go b/apis/binaryauthorization/v1beta1/zz_attestor_types.go
new file mode 100755
index 000000000..00659cd37
--- /dev/null
+++ b/apis/binaryauthorization/v1beta1/zz_attestor_types.go
@@ -0,0 +1,210 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type AttestationAuthorityNoteObservation struct { + + // This field will contain the service account email address that + // this Attestor will use as the principal when querying Container + // Analysis. Attestor administrators must grant this service account + // the IAM role needed to read attestations from the noteReference in + // Container Analysis (containeranalysis.notes.occurrences.viewer). + // This email address is fixed for the lifetime of the Attestor, but + // callers should not make any other assumptions about the service + // account email; future versions may use an email based on a + // different naming pattern. + DelegationServiceAccountEmail *string `json:"delegationServiceAccountEmail,omitempty" tf:"delegation_service_account_email,omitempty"` +} + +type AttestationAuthorityNoteParameters struct { + + // The resource name of a ATTESTATION_AUTHORITY Note, created by the + // user. If the Note is in a different project from the Attestor, it + // should be specified in the format projects/*/notes/* (or the legacy + // providers/*/notes/*). This field may not be updated. 
+ // An attestation by this attestor is stored as a Container Analysis + // ATTESTATION_AUTHORITY Occurrence that names a container image + // and that links to this Note. + // +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/containeranalysis/v1beta1.Note + // +kubebuilder:validation:Optional + NoteReference *string `json:"noteReference,omitempty" tf:"note_reference,omitempty"` + + // Reference to a Note in containeranalysis to populate noteReference. + // +kubebuilder:validation:Optional + NoteReferenceRef *v1.Reference `json:"noteReferenceRef,omitempty" tf:"-"` + + // Selector for a Note in containeranalysis to populate noteReference. + // +kubebuilder:validation:Optional + NoteReferenceSelector *v1.Selector `json:"noteReferenceSelector,omitempty" tf:"-"` + + // Public keys that verify attestations signed by this attestor. This + // field may be updated. + // If this field is non-empty, one of the specified public keys must + // verify that an attestation was signed by this attestor for the + // image specified in the admission request. + // If this field is empty, this attestor always returns that no valid + // attestations exist. + // Structure is documented below. + // +kubebuilder:validation:Optional + PublicKeys []PublicKeysParameters `json:"publicKeys,omitempty" tf:"public_keys,omitempty"` +} + +type AttestorObservation struct { + + // A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. + // Structure is documented below. + // +kubebuilder:validation:Required + AttestationAuthorityNote []AttestationAuthorityNoteObservation `json:"attestationAuthorityNote,omitempty" tf:"attestation_authority_note,omitempty"` + + // an identifier for the resource with format projects/{{project}}/attestors/{{name}} + ID *string `json:"id,omitempty" tf:"id,omitempty"` +} + +type AttestorParameters struct { + + // A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. + // Structure is documented below. 
+ // +kubebuilder:validation:Required + AttestationAuthorityNote []AttestationAuthorityNoteParameters `json:"attestationAuthorityNote" tf:"attestation_authority_note,omitempty"` + + // A descriptive comment. This field may be updated. The field may be + // displayed in chooser dialogs. + // +kubebuilder:validation:Optional + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // The ID of the project in which the resource belongs. + // If it is not provided, the provider project is used. + // +kubebuilder:validation:Optional + Project *string `json:"project,omitempty" tf:"project,omitempty"` +} + +type PkixPublicKeyObservation struct { +} + +type PkixPublicKeyParameters struct { + + // A PEM-encoded public key, as described in + // https://tools.ietf.org/html/rfc7468#section-13 + // +kubebuilder:validation:Optional + PublicKeyPem *string `json:"publicKeyPem,omitempty" tf:"public_key_pem,omitempty"` + + // The signature algorithm used to verify a message against + // a signature using this key. These signature algorithm must + // match the structure and any object identifiers encoded in + // publicKeyPem (i.e. this algorithm must match that of the + // public key). + // +kubebuilder:validation:Optional + SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"` +} + +type PublicKeysObservation struct { +} + +type PublicKeysParameters struct { + + // ASCII-armored representation of a PGP public key, as the + // entire output by the command + // gpg --export --armor foo@example.com (either LF or CRLF + // line endings). When using this field, id should be left + // blank. The BinAuthz API handlers will calculate the ID + // and fill it in automatically. BinAuthz computes this ID + // as the OpenPGP RFC4880 V4 fingerprint, represented as + // upper-case hex. If id is provided by the caller, it will + // be overwritten by the API-calculated ID. 
+ // +kubebuilder:validation:Optional + ASCIIArmoredPgpPublicKey *string `json:"asciiArmoredPgpPublicKey,omitempty" tf:"ascii_armored_pgp_public_key,omitempty"` + + // A descriptive comment. This field may be updated. + // +kubebuilder:validation:Optional + Comment *string `json:"comment,omitempty" tf:"comment,omitempty"` + + // The ID of this public key. Signatures verified by BinAuthz + // must include the ID of the public key that can be used to + // verify them, and that ID must match the contents of this + // field exactly. Additional restrictions on this field can + // be imposed based on which public key type is encapsulated. + // See the documentation on publicKey cases below for details. + // +kubebuilder:validation:Optional + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // A raw PKIX SubjectPublicKeyInfo format public key. + // NOTE: id may be explicitly provided by the caller when using this + // type of public key, but it MUST be a valid RFC3986 URI. If id is left + // blank, a default one will be computed based on the digest of the DER + // encoding of the public key. + // Structure is documented below. + // +kubebuilder:validation:Optional + PkixPublicKey []PkixPublicKeyParameters `json:"pkixPublicKey,omitempty" tf:"pkix_public_key,omitempty"` +} + +// AttestorSpec defines the desired state of Attestor +type AttestorSpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider AttestorParameters `json:"forProvider"` +} + +// AttestorStatus defines the observed state of Attestor. +type AttestorStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider AttestorObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true + +// Attestor is the Schema for the Attestors API. An attestor that attests to container image artifacts. 
+// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,gcp} +type Attestor struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec AttestorSpec `json:"spec"` + Status AttestorStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// AttestorList contains a list of Attestors +type AttestorList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Attestor `json:"items"` +} + +// Repository type metadata. +var ( + Attestor_Kind = "Attestor" + Attestor_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: Attestor_Kind}.String() + Attestor_KindAPIVersion = Attestor_Kind + "." + CRDGroupVersion.String() + Attestor_GroupVersionKind = CRDGroupVersion.WithKind(Attestor_Kind) +) + +func init() { + SchemeBuilder.Register(&Attestor{}, &AttestorList{}) +} diff --git a/apis/binaryauthorization/v1beta1/zz_generated.deepcopy.go b/apis/binaryauthorization/v1beta1/zz_generated.deepcopy.go new file mode 100644 index 000000000..7bccfe504 --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_generated.deepcopy.go 
@@ -0,0 +1,634 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionWhitelistPatternsObservation) DeepCopyInto(out *AdmissionWhitelistPatternsObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionWhitelistPatternsObservation. +func (in *AdmissionWhitelistPatternsObservation) DeepCopy() *AdmissionWhitelistPatternsObservation { + if in == nil { + return nil + } + out := new(AdmissionWhitelistPatternsObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionWhitelistPatternsParameters) DeepCopyInto(out *AdmissionWhitelistPatternsParameters) { + *out = *in + if in.NamePattern != nil { + in, out := &in.NamePattern, &out.NamePattern + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionWhitelistPatternsParameters. 
+func (in *AdmissionWhitelistPatternsParameters) DeepCopy() *AdmissionWhitelistPatternsParameters { + if in == nil { + return nil + } + out := new(AdmissionWhitelistPatternsParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestationAuthorityNoteObservation) DeepCopyInto(out *AttestationAuthorityNoteObservation) { + *out = *in + if in.DelegationServiceAccountEmail != nil { + in, out := &in.DelegationServiceAccountEmail, &out.DelegationServiceAccountEmail + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestationAuthorityNoteObservation. +func (in *AttestationAuthorityNoteObservation) DeepCopy() *AttestationAuthorityNoteObservation { + if in == nil { + return nil + } + out := new(AttestationAuthorityNoteObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestationAuthorityNoteParameters) DeepCopyInto(out *AttestationAuthorityNoteParameters) { + *out = *in + if in.NoteReference != nil { + in, out := &in.NoteReference, &out.NoteReference + *out = new(string) + **out = **in + } + if in.NoteReferenceRef != nil { + in, out := &in.NoteReferenceRef, &out.NoteReferenceRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.NoteReferenceSelector != nil { + in, out := &in.NoteReferenceSelector, &out.NoteReferenceSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.PublicKeys != nil { + in, out := &in.PublicKeys, &out.PublicKeys + *out = make([]PublicKeysParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestationAuthorityNoteParameters. 
+func (in *AttestationAuthorityNoteParameters) DeepCopy() *AttestationAuthorityNoteParameters { + if in == nil { + return nil + } + out := new(AttestationAuthorityNoteParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Attestor) DeepCopyInto(out *Attestor) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestor. +func (in *Attestor) DeepCopy() *Attestor { + if in == nil { + return nil + } + out := new(Attestor) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Attestor) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestorList) DeepCopyInto(out *AttestorList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Attestor, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorList. +func (in *AttestorList) DeepCopy() *AttestorList { + if in == nil { + return nil + } + out := new(AttestorList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *AttestorList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestorObservation) DeepCopyInto(out *AttestorObservation) { + *out = *in + if in.AttestationAuthorityNote != nil { + in, out := &in.AttestationAuthorityNote, &out.AttestationAuthorityNote + *out = make([]AttestationAuthorityNoteObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorObservation. +func (in *AttestorObservation) DeepCopy() *AttestorObservation { + if in == nil { + return nil + } + out := new(AttestorObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestorParameters) DeepCopyInto(out *AttestorParameters) { + *out = *in + if in.AttestationAuthorityNote != nil { + in, out := &in.AttestationAuthorityNote, &out.AttestationAuthorityNote + *out = make([]AttestationAuthorityNoteParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorParameters. +func (in *AttestorParameters) DeepCopy() *AttestorParameters { + if in == nil { + return nil + } + out := new(AttestorParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *AttestorSpec) DeepCopyInto(out *AttestorSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorSpec. +func (in *AttestorSpec) DeepCopy() *AttestorSpec { + if in == nil { + return nil + } + out := new(AttestorSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AttestorStatus) DeepCopyInto(out *AttestorStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorStatus. +func (in *AttestorStatus) DeepCopy() *AttestorStatus { + if in == nil { + return nil + } + out := new(AttestorStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterAdmissionRulesObservation) DeepCopyInto(out *ClusterAdmissionRulesObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionRulesObservation. +func (in *ClusterAdmissionRulesObservation) DeepCopy() *ClusterAdmissionRulesObservation { + if in == nil { + return nil + } + out := new(ClusterAdmissionRulesObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterAdmissionRulesParameters) DeepCopyInto(out *ClusterAdmissionRulesParameters) { + *out = *in + if in.Cluster != nil { + in, out := &in.Cluster, &out.Cluster + *out = new(string) + **out = **in + } + if in.EnforcementMode != nil { + in, out := &in.EnforcementMode, &out.EnforcementMode + *out = new(string) + **out = **in + } + if in.EvaluationMode != nil { + in, out := &in.EvaluationMode, &out.EvaluationMode + *out = new(string) + **out = **in + } + if in.RequireAttestationsBy != nil { + in, out := &in.RequireAttestationsBy, &out.RequireAttestationsBy + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionRulesParameters. +func (in *ClusterAdmissionRulesParameters) DeepCopy() *ClusterAdmissionRulesParameters { + if in == nil { + return nil + } + out := new(ClusterAdmissionRulesParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultAdmissionRuleObservation) DeepCopyInto(out *DefaultAdmissionRuleObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultAdmissionRuleObservation. +func (in *DefaultAdmissionRuleObservation) DeepCopy() *DefaultAdmissionRuleObservation { + if in == nil { + return nil + } + out := new(DefaultAdmissionRuleObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *DefaultAdmissionRuleParameters) DeepCopyInto(out *DefaultAdmissionRuleParameters) { + *out = *in + if in.EnforcementMode != nil { + in, out := &in.EnforcementMode, &out.EnforcementMode + *out = new(string) + **out = **in + } + if in.EvaluationMode != nil { + in, out := &in.EvaluationMode, &out.EvaluationMode + *out = new(string) + **out = **in + } + if in.RequireAttestationsBy != nil { + in, out := &in.RequireAttestationsBy, &out.RequireAttestationsBy + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultAdmissionRuleParameters. +func (in *DefaultAdmissionRuleParameters) DeepCopy() *DefaultAdmissionRuleParameters { + if in == nil { + return nil + } + out := new(DefaultAdmissionRuleParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PkixPublicKeyObservation) DeepCopyInto(out *PkixPublicKeyObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PkixPublicKeyObservation. +func (in *PkixPublicKeyObservation) DeepCopy() *PkixPublicKeyObservation { + if in == nil { + return nil + } + out := new(PkixPublicKeyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PkixPublicKeyParameters) DeepCopyInto(out *PkixPublicKeyParameters) { + *out = *in + if in.PublicKeyPem != nil { + in, out := &in.PublicKeyPem, &out.PublicKeyPem + *out = new(string) + **out = **in + } + if in.SignatureAlgorithm != nil { + in, out := &in.SignatureAlgorithm, &out.SignatureAlgorithm + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PkixPublicKeyParameters. +func (in *PkixPublicKeyParameters) DeepCopy() *PkixPublicKeyParameters { + if in == nil { + return nil + } + out := new(PkixPublicKeyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Policy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyList) DeepCopyInto(out *PolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Policy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList. 
+func (in *PolicyList) DeepCopy() *PolicyList { + if in == nil { + return nil + } + out := new(PolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) { + *out = *in + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation. +func (in *PolicyObservation) DeepCopy() *PolicyObservation { + if in == nil { + return nil + } + out := new(PolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PolicyParameters) DeepCopyInto(out *PolicyParameters) { + *out = *in + if in.AdmissionWhitelistPatterns != nil { + in, out := &in.AdmissionWhitelistPatterns, &out.AdmissionWhitelistPatterns + *out = make([]AdmissionWhitelistPatternsParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClusterAdmissionRules != nil { + in, out := &in.ClusterAdmissionRules, &out.ClusterAdmissionRules + *out = make([]ClusterAdmissionRulesParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.DefaultAdmissionRule != nil { + in, out := &in.DefaultAdmissionRule, &out.DefaultAdmissionRule + *out = make([]DefaultAdmissionRuleParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.GlobalPolicyEvaluationMode != nil { + in, out := &in.GlobalPolicyEvaluationMode, &out.GlobalPolicyEvaluationMode + *out = new(string) + **out = **in + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyParameters. +func (in *PolicyParameters) DeepCopy() *PolicyParameters { + if in == nil { + return nil + } + out := new(PolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. 
+func (in *PolicySpec) DeepCopy() *PolicySpec { + if in == nil { + return nil + } + out := new(PolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. +func (in *PolicyStatus) DeepCopy() *PolicyStatus { + if in == nil { + return nil + } + out := new(PolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PublicKeysObservation) DeepCopyInto(out *PublicKeysObservation) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKeysObservation. +func (in *PublicKeysObservation) DeepCopy() *PublicKeysObservation { + if in == nil { + return nil + } + out := new(PublicKeysObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PublicKeysParameters) DeepCopyInto(out *PublicKeysParameters) { + *out = *in + if in.ASCIIArmoredPgpPublicKey != nil { + in, out := &in.ASCIIArmoredPgpPublicKey, &out.ASCIIArmoredPgpPublicKey + *out = new(string) + **out = **in + } + if in.Comment != nil { + in, out := &in.Comment, &out.Comment + *out = new(string) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.PkixPublicKey != nil { + in, out := &in.PkixPublicKey, &out.PkixPublicKey + *out = make([]PkixPublicKeyParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKeysParameters. +func (in *PublicKeysParameters) DeepCopy() *PublicKeysParameters { + if in == nil { + return nil + } + out := new(PublicKeysParameters) + in.DeepCopyInto(out) + return out +} diff --git a/apis/binaryauthorization/v1beta1/zz_generated.managed.go b/apis/binaryauthorization/v1beta1/zz_generated.managed.go new file mode 100644 index 000000000..7af1e83b1 --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_generated.managed.go 
@@ -0,0 +1,152 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1beta1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this Attestor. +func (mg *Attestor) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this Attestor. +func (mg *Attestor) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetProviderConfigReference of this Attestor. +func (mg *Attestor) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +/* +GetProviderReference of this Attestor. +Deprecated: Use GetProviderConfigReference. +*/ +func (mg *Attestor) GetProviderReference() *xpv1.Reference { + return mg.Spec.ProviderReference +} + +// GetPublishConnectionDetailsTo of this Attestor. +func (mg *Attestor) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this Attestor. +func (mg *Attestor) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this Attestor. +func (mg *Attestor) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this Attestor. 
+func (mg *Attestor) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetProviderConfigReference of this Attestor. +func (mg *Attestor) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +/* +SetProviderReference of this Attestor. +Deprecated: Use SetProviderConfigReference. +*/ +func (mg *Attestor) SetProviderReference(r *xpv1.Reference) { + mg.Spec.ProviderReference = r +} + +// SetPublishConnectionDetailsTo of this Attestor. +func (mg *Attestor) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this Attestor. +func (mg *Attestor) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} + +// GetCondition of this Policy. +func (mg *Policy) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this Policy. +func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetProviderConfigReference of this Policy. +func (mg *Policy) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +/* +GetProviderReference of this Policy. +Deprecated: Use GetProviderConfigReference. +*/ +func (mg *Policy) GetProviderReference() *xpv1.Reference { + return mg.Spec.ProviderReference +} + +// GetPublishConnectionDetailsTo of this Policy. +func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this Policy. +func (mg *Policy) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this Policy. +func (mg *Policy) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) 
+} + +// SetDeletionPolicy of this Policy. +func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetProviderConfigReference of this Policy. +func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +/* +SetProviderReference of this Policy. +Deprecated: Use SetProviderConfigReference. +*/ +func (mg *Policy) SetProviderReference(r *xpv1.Reference) { + mg.Spec.ProviderReference = r +} + +// SetPublishConnectionDetailsTo of this Policy. +func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this Policy. +func (mg *Policy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/binaryauthorization/v1beta1/zz_generated.managedlist.go b/apis/binaryauthorization/v1beta1/zz_generated.managedlist.go new file mode 100644 index 000000000..ea4130163 --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_generated.managedlist.go 
@@ -0,0 +1,38 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1beta1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this AttestorList. +func (l *AttestorList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} + +// GetItems of this PolicyList. +func (l *PolicyList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/binaryauthorization/v1beta1/zz_generated.resolvers.go b/apis/binaryauthorization/v1beta1/zz_generated.resolvers.go new file mode 100644 index 000000000..71db52dfe --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_generated.resolvers.go 
@@ -0,0 +1,55 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +// Code generated by angryjet. DO NOT EDIT. + +package v1beta1 + +import ( + "context" + reference "github.com/crossplane/crossplane-runtime/pkg/reference" + errors "github.com/pkg/errors" + v1beta1 "github.com/upbound/provider-gcp/apis/containeranalysis/v1beta1" + client "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ResolveReferences of this Attestor. +func (mg *Attestor) ResolveReferences(ctx context.Context, c client.Reader) error { + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var err error + + for i3 := 0; i3 < len(mg.Spec.ForProvider.AttestationAuthorityNote); i3++ { + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReference), + Extract: reference.ExternalName(), + Reference: mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReferenceRef, + Selector: mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReferenceSelector, + To: reference.To{ + List: &v1beta1.NoteList{}, + Managed: &v1beta1.Note{}, + }, + }) + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReference") + } + mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReference = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.AttestationAuthorityNote[i3].NoteReferenceRef = rsp.ResolvedReference + + } + + 
return nil +} diff --git a/apis/binaryauthorization/v1beta1/zz_generated_terraformed.go b/apis/binaryauthorization/v1beta1/zz_generated_terraformed.go new file mode 100755 index 000000000..928adbe8a --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_generated_terraformed.go 
@@ -0,0 +1,174 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + "github.com/pkg/errors" + + "github.com/upbound/upjet/pkg/resource" + "github.com/upbound/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this Attestor +func (mg *Attestor) GetTerraformResourceType() string { + return "google_binary_authorization_attestor" +} + +// GetConnectionDetailsMapping for this Attestor +func (tr *Attestor) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Attestor +func (tr *Attestor) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Attestor +func (tr *Attestor) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this Attestor +func (tr *Attestor) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Attestor +func (tr *Attestor) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + 
if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Attestor +func (tr *Attestor) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// LateInitialize this Attestor using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Attestor) LateInitialize(attrs []byte) (bool, error) { + params := &AttestorParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Attestor) GetTerraformSchemaVersion() int { + return 0 +} + +// GetTerraformResourceType returns Terraform resource type for this Policy +func (mg *Policy) GetTerraformResourceType() string { + return "google_binary_authorization_policy" +} + +// GetConnectionDetailsMapping for this Policy +func (tr *Policy) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this Policy +func (tr *Policy) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this Policy +func (tr *Policy) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of 
underlying Terraform resource of this Policy +func (tr *Policy) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this Policy +func (tr *Policy) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this Policy +func (tr *Policy) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// LateInitialize this Policy using its observed tfState. +// returns True if there are any spec changes for the resource. +func (tr *Policy) LateInitialize(attrs []byte) (bool, error) { + params := &PolicyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *Policy) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/binaryauthorization/v1beta1/zz_groupversion_info.go b/apis/binaryauthorization/v1beta1/zz_groupversion_info.go new file mode 100755 index 000000000..fe38a94a6 --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_groupversion_info.go 
@@ -0,0 +1,44 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by upjet. DO NOT EDIT. + +// +kubebuilder:object:generate=true +// +groupName=binaryauthorization.gcp.upbound.io +// +versionName=v1beta1 +package v1beta1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + CRDGroup = "binaryauthorization.gcp.upbound.io" + CRDVersion = "v1beta1" +) + +var ( + // CRDGroupVersion is the API Group Version used to register the objects + CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/apis/binaryauthorization/v1beta1/zz_policy_types.go b/apis/binaryauthorization/v1beta1/zz_policy_types.go new file mode 100755 index 000000000..b2fbedb5e --- /dev/null +++ b/apis/binaryauthorization/v1beta1/zz_policy_types.go 
@@ -0,0 +1,192 @@ +/* +Copyright 2021 The Crossplane Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type AdmissionWhitelistPatternsObservation struct { +} + +type AdmissionWhitelistPatternsParameters struct { + + // An image name pattern to whitelist, in the form + // registry/path/to/image. This supports a trailing * as a + // wildcard, but this is allowed only in text after the registry/ + // part. + // +kubebuilder:validation:Required + NamePattern *string `json:"namePattern" tf:"name_pattern,omitempty"` +} + +type ClusterAdmissionRulesObservation struct { +} + +type ClusterAdmissionRulesParameters struct { + + // The identifier for this object. Format specified above. + // +kubebuilder:validation:Required + Cluster *string `json:"cluster" tf:"cluster,omitempty"` + + // The action when a pod creation is denied by the admission rule. + // Possible values are ENFORCED_BLOCK_AND_AUDIT_LOG and DRYRUN_AUDIT_LOG_ONLY. + // +kubebuilder:validation:Required + EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode,omitempty"` + + // How this admission rule will be evaluated. + // Possible values are ALWAYS_ALLOW, REQUIRE_ATTESTATION, and ALWAYS_DENY. 
+ // +kubebuilder:validation:Required + EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode,omitempty"` + + // The resource names of the attestors that must attest to a + // container image. If the attestor is in a different project from the + // policy, it should be specified in the format projects/*/attestors/*. + // Each attestor must exist before a policy can reference it. To add an + // attestor to a policy the principal issuing the policy change + // request must be able to read the attestor resource. + // Note: this field must be non-empty when the evaluation_mode field + // specifies REQUIRE_ATTESTATION, otherwise it must be empty. + // +kubebuilder:validation:Optional + RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"` +} + +type DefaultAdmissionRuleObservation struct { +} + +type DefaultAdmissionRuleParameters struct { + + // The action when a pod creation is denied by the admission rule. + // Possible values are ENFORCED_BLOCK_AND_AUDIT_LOG and DRYRUN_AUDIT_LOG_ONLY. + // +kubebuilder:validation:Required + EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode,omitempty"` + + // How this admission rule will be evaluated. + // Possible values are ALWAYS_ALLOW, REQUIRE_ATTESTATION, and ALWAYS_DENY. + // +kubebuilder:validation:Required + EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode,omitempty"` + + // The resource names of the attestors that must attest to a + // container image. If the attestor is in a different project from the + // policy, it should be specified in the format projects/*/attestors/*. + // Each attestor must exist before a policy can reference it. To add an + // attestor to a policy the principal issuing the policy change + // request must be able to read the attestor resource. + // Note: this field must be non-empty when the evaluation_mode field + // specifies REQUIRE_ATTESTATION, otherwise it must be empty. 
+ // +kubebuilder:validation:Optional + RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"` +} + +type PolicyObservation struct { + + // an identifier for the resource with format projects/{{project}} + ID *string `json:"id,omitempty" tf:"id,omitempty"` +} + +type PolicyParameters struct { + + // A whitelist of image patterns to exclude from admission rules. If an + // image's name matches a whitelist pattern, the image's admission + // requests will always be permitted regardless of your admission rules. + // Structure is documented below. + // +kubebuilder:validation:Optional + AdmissionWhitelistPatterns []AdmissionWhitelistPatternsParameters `json:"admissionWhitelistPatterns,omitempty" tf:"admission_whitelist_patterns,omitempty"` + + // Per-cluster admission rules. An admission rule specifies either that + // all container images used in a pod creation request must be attested + // to by one or more attestors, that all pod creations will be allowed, + // or that all pod creations will be denied. There can be at most one + // admission rule per cluster spec. + // +kubebuilder:validation:Optional + ClusterAdmissionRules []ClusterAdmissionRulesParameters `json:"clusterAdmissionRules,omitempty" tf:"cluster_admission_rules,omitempty"` + + // Default admission rule for a cluster without a per-cluster admission + // rule. + // Structure is documented below. + // +kubebuilder:validation:Required + DefaultAdmissionRule []DefaultAdmissionRuleParameters `json:"defaultAdmissionRule" tf:"default_admission_rule,omitempty"` + + // A descriptive comment. + // +kubebuilder:validation:Optional + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Controls the evaluation of a Google-maintained global admission policy + // for common system-level images. Images not covered by the global + // policy will be subject to the project admission policy. + // Possible values are ENABLE and DISABLE. 
+ // +kubebuilder:validation:Optional + GlobalPolicyEvaluationMode *string `json:"globalPolicyEvaluationMode,omitempty" tf:"global_policy_evaluation_mode,omitempty"` + + // The ID of the project in which the resource belongs. + // If it is not provided, the provider project is used. + // +kubebuilder:validation:Optional + Project *string `json:"project,omitempty" tf:"project,omitempty"` +} + +// PolicySpec defines the desired state of Policy +type PolicySpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider PolicyParameters `json:"forProvider"` +} + +// PolicyStatus defines the observed state of Policy. +type PolicyStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider PolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true + +// Policy is the Schema for the Policys API. A policy for container image binary authorization. +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,gcp} +type Policy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec PolicySpec `json:"spec"` + Status PolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// PolicyList contains a list of Policys +type PolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Policy `json:"items"` +} + +// Repository type metadata. 
+var ( + Policy_Kind = "Policy" + Policy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: Policy_Kind}.String() + Policy_KindAPIVersion = Policy_Kind + "." + CRDGroupVersion.String() + Policy_GroupVersionKind = CRDGroupVersion.WithKind(Policy_Kind) +) + +func init() { + SchemeBuilder.Register(&Policy{}, &PolicyList{}) +} diff --git a/apis/zz_register.go b/apis/zz_register.go index 982691129..fbf7b99f3 100755 --- a/apis/zz_register.go +++ b/apis/zz_register.go @@ -27,6 +27,7 @@ import ( v1beta1appengine "github.com/upbound/provider-gcp/apis/appengine/v1beta1" v1beta1bigquery "github.com/upbound/provider-gcp/apis/bigquery/v1beta1" v1beta1bigtable "github.com/upbound/provider-gcp/apis/bigtable/v1beta1" + v1beta1binaryauthorization "github.com/upbound/provider-gcp/apis/binaryauthorization/v1beta1" v1beta1cloudbuild "github.com/upbound/provider-gcp/apis/cloudbuild/v1beta1" v1beta1cloudfunctions "github.com/upbound/provider-gcp/apis/cloudfunctions/v1beta1" v1beta1cloudiot "github.com/upbound/provider-gcp/apis/cloudiot/v1beta1" @@ -79,6 +80,7 @@ func init() { v1beta1appengine.SchemeBuilder.AddToScheme, v1beta1bigquery.SchemeBuilder.AddToScheme, v1beta1bigtable.SchemeBuilder.AddToScheme, + v1beta1binaryauthorization.SchemeBuilder.AddToScheme, v1beta1cloudbuild.SchemeBuilder.AddToScheme, v1beta1cloudfunctions.SchemeBuilder.AddToScheme, v1beta1cloudiot.SchemeBuilder.AddToScheme, diff --git a/config/externalname.go b/config/externalname.go index 1e35a2375..b3e1d857d 100644 --- a/config/externalname.go +++ b/config/externalname.go 
@@ -694,6 +694,13 @@ var externalNameConfigs = map[string]config.ExternalName{
 "google_apigee_instance": config.TemplatedStringAsIdentifier("name", "{{ .parameters.org_id }}/instances/{{ .external_name }}"),
 // Imported by using the following format: organizations/{{name}}
 "google_apigee_organization": config.IdentifierFromProvider,
+
+ // binaryauthorization
+ //
+ // projects/{{project}}/attestors/{{name}}
+ "google_binary_authorization_attestor": config.TemplatedStringAsIdentifier("name", "projects/{{ .setup.configuration.project }}/attestors/{{ .external_name }}"),
+ // projects/{{project}}
+ "google_binary_authorization_policy": config.TemplatedStringAsIdentifier("", "projects/{{ .setup.configuration.project }}"),
 }
 
 // TemplatedStringAsIdentifierWithNoName uses TemplatedStringAsIdentifier but
diff --git a/config/externalnamenottested.go b/config/externalnamenottested.go
index 237aed48e..e97188971 100644
--- a/config/externalnamenottested.go
+++ b/config/externalnamenottested.go
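Review bot: Both new external-name templates take the project segment from `.setup.configuration.project`, while PolicyParameters in this patch exposes an optional `project` field that is documented as overriding the provider project; if the API honours that field, a Policy or Attestor created with `spec.forProvider.project` set to another project would be tracked under an identifier in the ProviderConfig's project and the next observe would presumably miss it. The policy entry also passes an empty name field, so every Policy managed resource bound to the same ProviderConfig maps onto the same `projects/{{project}}` object and two such resources would overwrite each other's admission rules. Unless a parameter-aware template is available, document the constraint next to the entries, e.g. `// project comes from the ProviderConfig; spec.forProvider.project is not reflected in the identifier` and, on the policy line, `// one Policy per project: the identifier carries no name`. The rest of externalNameConfigs is outside the hunk.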
@@ -35,16 +35,12 @@ var ExternalNameNotTestedConfigs = map[string]config.ExternalName{ // binaryauthorization // - // projects/{{project}}/attestors/{{name}} - "google_binary_authorization_attestor": config.TemplatedStringAsIdentifier("name", "projects/{{ .setup.configuration.project }}/attestors/{{ .external_name }}"), // projects/{{project}}/attestors/{{attestor}} roles/viewer "google_binary_authorization_attestor_iam_binding": config.TemplatedStringAsIdentifier("", "projects/{{ .setup.configuration.project }}/attestors/{{ .parameters.attestor }} {{ .parameters.role }}"), // projects/{{project}}/attestors/{{attestor}} roles/viewer user:jane@example.com "google_binary_authorization_attestor_iam_member": config.TemplatedStringAsIdentifier("", "projects/{{ .setup.configuration.project }}/attestors/{{ .parameters.attestor }} {{ .parameters.role }} {{ .parameters.member }}"), // projects/{{project}}/attestors/{{attestor}} "google_binary_authorization_attestor_iam_policy": config.TemplatedStringAsIdentifier("", "projects/{{ .setup.configuration.project }}/attestors/{{ .parameters.attestor }}"), - // projects/{{project}} - "google_binary_authorization_policy": config.TemplatedStringAsIdentifier("", "projects/{{ .setup.configuration.project }}"), // certificatemanager // diff --git a/examples-generated/binaryauthorization/attestor.yaml b/examples-generated/binaryauthorization/attestor.yaml new file mode 100644 index 000000000..d8d95fcac --- /dev/null +++ b/examples-generated/binaryauthorization/attestor.yaml 
@@ -0,0 +1,50 @@ +apiVersion: binaryauthorization.gcp.upbound.io/v1beta1 +kind: Attestor +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/attestor + labels: + testing.upbound.io/example-name: attestor + name: attestor +spec: + forProvider: + attestationAuthorityNote: + - noteReferenceSelector: + matchLabels: + testing.upbound.io/example-name: note + publicKeys: + - asciiArmoredPgpPublicKey: | + mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl + bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0 + oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6 + V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD + Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX + 83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y + IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L + uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6 + 0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC + 51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U + WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h + MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l + +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1 + qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg + =6Bvm + +--- + +apiVersion: containeranalysis.gcp.upbound.io/v1beta1 +kind: Note +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/attestor + labels: + testing.upbound.io/example-name: note + name: note +spec: + forProvider: + attestationAuthority: + - hint: + - humanReadableName: Attestor Note + +--- + diff --git a/examples-generated/binaryauthorization/policy.yaml b/examples-generated/binaryauthorization/policy.yaml new file mode 100644 index 000000000..38a2fa062 --- /dev/null +++ b/examples-generated/binaryauthorization/policy.yaml 
@@ -0,0 +1,57 @@ +apiVersion: binaryauthorization.gcp.upbound.io/v1beta1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/policy + labels: + testing.upbound.io/example-name: policy + name: policy +spec: + forProvider: + admissionWhitelistPatterns: + - namePattern: gcr.io/google_containers/* + clusterAdmissionRules: + - cluster: us-central1-a.prod-cluster + enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG + evaluationMode: REQUIRE_ATTESTATION + requireAttestationsBy: + - ${google_binary_authorization_attestor.attestor.name} + defaultAdmissionRule: + - enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG + evaluationMode: ALWAYS_ALLOW + +--- + +apiVersion: binaryauthorization.gcp.upbound.io/v1beta1 +kind: Attestor +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/policy + labels: + testing.upbound.io/example-name: attestor + name: attestor +spec: + forProvider: + attestationAuthorityNote: + - noteReferenceSelector: + matchLabels: + testing.upbound.io/example-name: note + +--- + +apiVersion: containeranalysis.gcp.upbound.io/v1beta1 +kind: Note +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/policy + labels: + testing.upbound.io/example-name: note + name: note +spec: + forProvider: + attestationAuthority: + - hint: + - humanReadableName: My attestor + +--- + diff --git a/examples/binaryauthorization/attestor.yaml b/examples/binaryauthorization/attestor.yaml new file mode 100644 index 000000000..5c4d9ea70 --- /dev/null +++ b/examples/binaryauthorization/attestor.yaml 
@@ -0,0 +1,47 @@ +apiVersion: binaryauthorization.gcp.upbound.io/v1beta1 +kind: Attestor +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/attestor + labels: + testing.upbound.io/example-name: attestor + name: attestor +spec: + forProvider: + attestationAuthorityNote: + - noteReferenceSelector: + matchLabels: + testing.upbound.io/example-name: note + publicKeys: + - asciiArmoredPgpPublicKey: | + mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl + bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0 + oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6 + V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD + Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX + 83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y + IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L + uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6 + 0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC + 51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U + WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h + MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l + +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1 + qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg + =6Bvm + +--- + +apiVersion: containeranalysis.gcp.upbound.io/v1beta1 +kind: Note +metadata: + annotations: + meta.upbound.io/example-id: binaryauthorization/v1beta1/attestor + labels: + testing.upbound.io/example-name: note + name: note +spec: + forProvider: + attestationAuthority: + - hint: + - humanReadableName: Attestor Note \ No newline at end of file diff --git a/examples/binaryauthorization/policy.yaml b/examples/binaryauthorization/policy.yaml new file mode 100644 index 000000000..a982c069f --- /dev/null +++ b/examples/binaryauthorization/policy.yaml 
@@ -0,0 +1,54 @@
+apiVersion: binaryauthorization.gcp.upbound.io/v1beta1
+kind: Policy
+metadata:
+ annotations:
+ meta.upbound.io/example-id: binaryauthorization/v1beta1/policy
+ labels:
+ testing.upbound.io/example-name: policy
+ name: policy
+spec:
+ forProvider:
+ admissionWhitelistPatterns:
+ - namePattern: gcr.io/google_containers/*
+ clusterAdmissionRules:
+ - cluster: us-central1-a.prod-cluster
+ enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
+ evaluationMode: REQUIRE_ATTESTATION
+ requireAttestationsBy:
+ - attestor
+ defaultAdmissionRule:
+ - enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
+ evaluationMode: ALWAYS_ALLOW
+
+---
+
+apiVersion: binaryauthorization.gcp.upbound.io/v1beta1
+kind: Attestor
+metadata:
+ annotations:
+ meta.upbound.io/example-id: binaryauthorization/v1beta1/policy
+ labels:
+ testing.upbound.io/example-name: attestor
+ name: attestor
+spec:
+ forProvider:
+ attestationAuthorityNote:
+ - noteReferenceSelector:
+ matchLabels:
+ testing.upbound.io/example-name: note
+
+---
+
+apiVersion: containeranalysis.gcp.upbound.io/v1beta1
+kind: Note
+metadata:
+ annotations:
+ meta.upbound.io/example-id: binaryauthorization/v1beta1/policy
+ labels:
+ testing.upbound.io/example-name: note
+ name: note
+spec:
+ forProvider:
+ attestationAuthority:
+ - hint:
+ - humanReadableName: My attestor
\ No newline at end of file
diff --git a/internal/controller/binaryauthorization/attestor/zz_controller.go b/internal/controller/binaryauthorization/attestor/zz_controller.go
new file mode 100755
index 000000000..4039b3cb6
--- /dev/null
+++ b/internal/controller/binaryauthorization/attestor/zz_controller.go
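Review bot: The Attestor in this example declares no `publicKeys`, so the `us-central1-a.prod-cluster` rule with `evaluationMode: REQUIRE_ATTESTATION` and `enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG` can never find a valid attestation and will block every image on that cluster except the `gcr.io/google_containers/*` whitelist pattern, while `defaultAdmissionRule` stays `ALWAYS_ALLOW` for every other cluster. That is acceptable for an e2e fixture, but a comment above `clusterAdmissionRules` would stop it being copied as a working policy: `# NOTE: the attestor below has no publicKeys, so this rule denies all non-whitelisted images on the named cluster`. Separately, `requireAttestationsBy: - attestor` is a bare string with no reference or selector, so nothing orders the Policy after the Attestor even though the CRD states that each attestor must exist before a policy can reference it; if the reconciler does not retry on that API error, a cross-resource reference for this field in the provider config would make the example deterministic.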
@@ -0,0 +1,64 @@
+/*
+Copyright 2021 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by upjet. DO NOT EDIT.
+
+package attestor
+
+import (
+ "time"
+
+ "github.com/crossplane/crossplane-runtime/pkg/connection"
+ "github.com/crossplane/crossplane-runtime/pkg/event"
+ "github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
+ "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
+ xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
+ tjcontroller "github.com/upbound/upjet/pkg/controller"
+ "github.com/upbound/upjet/pkg/terraform"
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ v1beta1 "github.com/upbound/provider-gcp/apis/binaryauthorization/v1beta1"
+)
+
+// Setup adds a controller that reconciles Attestor managed resources.
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
+ name := managed.ControllerName(v1beta1.Attestor_GroupVersionKind.String())
+ var initializers managed.InitializerChain
+ initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient()))
+ cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
+ if o.SecretStoreConfigGVK != nil {
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ }
+ r := managed.NewReconciler(mgr,
+ xpresource.ManagedKind(v1beta1.Attestor_GroupVersionKind),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["google_binary_authorization_attestor"],
+ tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Attestor_GroupVersionKind))),
+ )),
+ managed.WithLogger(o.Logger.WithValues("controller", name)),
+ managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
+ managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
+ managed.WithTimeout(3*time.Minute),
+ managed.WithInitializers(initializers),
+ managed.WithConnectionPublishers(cps...),
+ managed.WithPollInterval(o.PollInterval),
+ )
+
+ return ctrl.NewControllerManagedBy(mgr).
+ Named(name).
+ WithOptions(o.ForControllerRuntime()).
+ For(&v1beta1.Attestor{}).
+ Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
+}
diff --git a/internal/controller/binaryauthorization/policy/zz_controller.go b/internal/controller/binaryauthorization/policy/zz_controller.go
new file mode 100755
index 000000000..b2be69440
--- /dev/null
+++ b/internal/controller/binaryauthorization/policy/zz_controller.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2021 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by upjet. DO NOT EDIT.
+
+package policy
+
+import (
+ "time"
+
+ "github.com/crossplane/crossplane-runtime/pkg/connection"
+ "github.com/crossplane/crossplane-runtime/pkg/event"
+ "github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
+ "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
+ xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
+ tjcontroller "github.com/upbound/upjet/pkg/controller"
+ "github.com/upbound/upjet/pkg/terraform"
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ v1beta1 "github.com/upbound/provider-gcp/apis/binaryauthorization/v1beta1"
+)
+
+// Setup adds a controller that reconciles Policy managed resources.
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
+ name := managed.ControllerName(v1beta1.Policy_GroupVersionKind.String())
+ var initializers managed.InitializerChain
+ initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient()))
+ cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
+ if o.SecretStoreConfigGVK != nil {
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
+ }
+ r := managed.NewReconciler(mgr,
+ xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+ managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["google_binary_authorization_policy"],
+ tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
+ )),
+ managed.WithLogger(o.Logger.WithValues("controller", name)),
+ managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
+ managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
+ managed.WithTimeout(3*time.Minute),
+ managed.WithInitializers(initializers),
+ managed.WithConnectionPublishers(cps...),
+ managed.WithPollInterval(o.PollInterval),
+ )
+
+ return ctrl.NewControllerManagedBy(mgr).
+ Named(name).
+ WithOptions(o.ForControllerRuntime()).
+ For(&v1beta1.Policy{}).
+ Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
+}
diff --git a/internal/controller/zz_setup.go b/internal/controller/zz_setup.go
index 4655e25dd..3340980f7 100755
--- a/internal/controller/zz_setup.go
+++ b/internal/controller/zz_setup.go
@@ -43,6 +43,8 @@ import (
 tableiambindingbigtable "github.com/upbound/provider-gcp/internal/controller/bigtable/tableiambinding"
 tableiammemberbigtable "github.com/upbound/provider-gcp/internal/controller/bigtable/tableiammember"
 tableiampolicybigtable "github.com/upbound/provider-gcp/internal/controller/bigtable/tableiampolicy"
+ attestor "github.com/upbound/provider-gcp/internal/controller/binaryauthorization/attestor"
+ policy "github.com/upbound/provider-gcp/internal/controller/binaryauthorization/policy"
 trigger "github.com/upbound/provider-gcp/internal/controller/cloudbuild/trigger"
 workerpool "github.com/upbound/provider-gcp/internal/controller/cloudbuild/workerpool"
 function "github.com/upbound/provider-gcp/internal/controller/cloudfunctions/function"
@@ -173,7 +175,7 @@ import (
 page "github.com/upbound/provider-gcp/internal/controller/dialogflowcx/page"
 version "github.com/upbound/provider-gcp/internal/controller/dialogflowcx/version"
 managedzone "github.com/upbound/provider-gcp/internal/controller/dns/managedzone"
- policy "github.com/upbound/provider-gcp/internal/controller/dns/policy"
+ policydns "github.com/upbound/provider-gcp/internal/controller/dns/policy"
 recordset "github.com/upbound/provider-gcp/internal/controller/dns/recordset"
 contact "github.com/upbound/provider-gcp/internal/controller/essentialcontacts/contact"
 triggereventarc "github.com/upbound/provider-gcp/internal/controller/eventarc/trigger"
@@ -289,6 +291,8 @@ func Setup(mgr ctrl.Manager, o controller.Options) error {
 tableiambindingbigtable.Setup,
 tableiammemberbigtable.Setup,
 tableiampolicybigtable.Setup,
+ attestor.Setup,
+ policy.Setup,
 trigger.Setup,
 workerpool.Setup,
 function.Setup,
@@ -419,7 +423,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error {
 page.Setup,
 version.Setup,
 managedzone.Setup,
- policy.Setup,
+ policydns.Setup,
 recordset.Setup,
 contact.Setup,
 triggereventarc.Setup,
diff --git a/package/crds/binaryauthorization.gcp.upbound.io_attestors.yaml b/package/crds/binaryauthorization.gcp.upbound.io_attestors.yaml new file mode 100644 index 000000000..1f7b866f3 --- /dev/null +++ b/package/crds/binaryauthorization.gcp.upbound.io_attestors.yaml 
@@ -0,0 +1,480 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: attestors.binaryauthorization.gcp.upbound.io +spec: + group: binaryauthorization.gcp.upbound.io + names: + categories: + - crossplane + - managed + - gcp + kind: Attestor + listKind: AttestorList + plural: attestors + singular: attestor + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Attestor is the Schema for the Attestors API. An attestor that + attests to container image artifacts. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AttestorSpec defines the desired state of Attestor + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + attestationAuthorityNote: + description: A Container Analysis ATTESTATION_AUTHORITY Note, + created by the user. Structure is documented below. + items: + properties: + noteReference: + description: The resource name of a ATTESTATION_AUTHORITY + Note, created by the user. If the Note is in a different + project from the Attestor, it should be specified in the + format projects/*/notes/* (or the legacy providers/*/notes/*). + This field may not be updated. An attestation by this + attestor is stored as a Container Analysis ATTESTATION_AUTHORITY + Occurrence that names a container image and that links + to this Note. + type: string + noteReferenceRef: + description: Reference to a Note in containeranalysis to + populate noteReference. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is + 'Required', which means the reconcile will fail + if the reference cannot be resolved. 'Optional' + means this reference will be a no-op if it cannot + be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference + should be resolved. The default is 'IfNotPresent', + which will attempt to resolve the reference only + when the corresponding field is not present. 
Use + 'Always' to resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + noteReferenceSelector: + description: Selector for a Note in containeranalysis to + populate noteReference. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with + the same controller reference as the selecting object + is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching + labels is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is + 'Required', which means the reconcile will fail + if the reference cannot be resolved. 'Optional' + means this reference will be a no-op if it cannot + be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference + should be resolved. The default is 'IfNotPresent', + which will attempt to resolve the reference only + when the corresponding field is not present. Use + 'Always' to resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + publicKeys: + description: Public keys that verify attestations signed + by this attestor. This field may be updated. If this field + is non-empty, one of the specified public keys must verify + that an attestation was signed by this attestor for the + image specified in the admission request. If this field + is empty, this attestor always returns that no valid attestations + exist. Structure is documented below. 
+ items: + properties: + asciiArmoredPgpPublicKey: + description: ASCII-armored representation of a PGP + public key, as the entire output by the command + gpg --export --armor foo@example.com (either LF + or CRLF line endings). When using this field, id + should be left blank. The BinAuthz API handlers + will calculate the ID and fill it in automatically. + BinAuthz computes this ID as the OpenPGP RFC4880 + V4 fingerprint, represented as upper-case hex. If + id is provided by the caller, it will be overwritten + by the API-calculated ID. + type: string + comment: + description: A descriptive comment. This field may + be updated. + type: string + id: + description: The ID of this public key. Signatures + verified by BinAuthz must include the ID of the + public key that can be used to verify them, and + that ID must match the contents of this field exactly. + Additional restrictions on this field can be imposed + based on which public key type is encapsulated. + See the documentation on publicKey cases below for + details. + type: string + pkixPublicKey: + description: 'A raw PKIX SubjectPublicKeyInfo format + public key. NOTE: id may be explicitly provided + by the caller when using this type of public key, + but it MUST be a valid RFC3986 URI. If id is left + blank, a default one will be computed based on the + digest of the DER encoding of the public key. Structure + is documented below.' + items: + properties: + publicKeyPem: + description: A PEM-encoded public key, as described + in https://tools.ietf.org/html/rfc7468#section-13 + type: string + signatureAlgorithm: + description: The signature algorithm used to + verify a message against a signature using + this key. These signature algorithm must match + the structure and any object identifiers encoded + in publicKeyPem (i.e. this algorithm must + match that of the public key). 
+ type: string + type: object + type: array + type: object + type: array + type: object + type: array + description: + description: A descriptive comment. This field may be updated. + The field may be displayed in chooser dialogs. + type: string + project: + description: The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + type: string + required: + - attestationAuthorityNote + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. 
The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: AttestorStatus defines the observed state of Attestor. + properties: + atProvider: + properties: + attestationAuthorityNote: + description: A Container Analysis ATTESTATION_AUTHORITY Note, + created by the user. Structure is documented below. + items: + properties: + delegationServiceAccountEmail: + description: This field will contain the service account + email address that this Attestor will use as the principal + when querying Container Analysis. Attestor administrators + must grant this service account the IAM role needed to + read attestations from the noteReference in Container + Analysis (containeranalysis.notes.occurrences.viewer). + This email address is fixed for the lifetime of the Attestor, + but callers should not make any other assumptions about + the service account email; future versions may use an + email based on a different naming pattern. + type: string + type: object + type: array + id: + description: an identifier for the resource with format projects/{{project}}/attestors/{{name}} + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. 
+ type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/package/crds/binaryauthorization.gcp.upbound.io_policies.yaml b/package/crds/binaryauthorization.gcp.upbound.io_policies.yaml new file mode 100644 index 000000000..33123f847 --- /dev/null +++ b/package/crds/binaryauthorization.gcp.upbound.io_policies.yaml 
@@ -0,0 +1,400 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: policies.binaryauthorization.gcp.upbound.io +spec: + group: binaryauthorization.gcp.upbound.io + names: + categories: + - crossplane + - managed + - gcp + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the Policys API. A policy for container + image binary authorization. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec defines the desired state of Policy + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + admissionWhitelistPatterns: + description: A whitelist of image patterns to exclude from admission + rules. If an image's name matches a whitelist pattern, the image's + admission requests will always be permitted regardless of your + admission rules. Structure is documented below. + items: + properties: + namePattern: + description: An image name pattern to whitelist, in the + form registry/path/to/image. This supports a trailing + * as a wildcard, but this is allowed only in text after + the registry/ part. + type: string + required: + - namePattern + type: object + type: array + clusterAdmissionRules: + description: Per-cluster admission rules. An admission rule specifies + either that all container images used in a pod creation request + must be attested to by one or more attestors, that all pod creations + will be allowed, or that all pod creations will be denied. There + can be at most one admission rule per cluster spec. + items: + properties: + cluster: + description: The identifier for this object. Format specified + above. + type: string + enforcementMode: + description: The action when a pod creation is denied by + the admission rule. Possible values are ENFORCED_BLOCK_AND_AUDIT_LOG + and DRYRUN_AUDIT_LOG_ONLY. + type: string + evaluationMode: + description: How this admission rule will be evaluated. + Possible values are ALWAYS_ALLOW, REQUIRE_ATTESTATION, + and ALWAYS_DENY. 
+ type: string + requireAttestationsBy: + description: 'The resource names of the attestors that must + attest to a container image. If the attestor is in a different + project from the policy, it should be specified in the + format projects/*/attestors/*. Each attestor must exist + before a policy can reference it. To add an attestor to + a policy the principal issuing the policy change request + must be able to read the attestor resource. Note: this + field must be non-empty when the evaluation_mode field + specifies REQUIRE_ATTESTATION, otherwise it must be empty.' + items: + type: string + type: array + required: + - cluster + - enforcementMode + - evaluationMode + type: object + type: array + defaultAdmissionRule: + description: Default admission rule for a cluster without a per-cluster + admission rule. Structure is documented below. + items: + properties: + enforcementMode: + description: The action when a pod creation is denied by + the admission rule. Possible values are ENFORCED_BLOCK_AND_AUDIT_LOG + and DRYRUN_AUDIT_LOG_ONLY. + type: string + evaluationMode: + description: How this admission rule will be evaluated. + Possible values are ALWAYS_ALLOW, REQUIRE_ATTESTATION, + and ALWAYS_DENY. + type: string + requireAttestationsBy: + description: 'The resource names of the attestors that must + attest to a container image. If the attestor is in a different + project from the policy, it should be specified in the + format projects/*/attestors/*. Each attestor must exist + before a policy can reference it. To add an attestor to + a policy the principal issuing the policy change request + must be able to read the attestor resource. Note: this + field must be non-empty when the evaluation_mode field + specifies REQUIRE_ATTESTATION, otherwise it must be empty.' + items: + type: string + type: array + required: + - enforcementMode + - evaluationMode + type: object + type: array + description: + description: A descriptive comment. 
+ type: string + globalPolicyEvaluationMode: + description: Controls the evaluation of a Google-maintained global + admission policy for common system-level images. Images not + covered by the global policy will be subject to the project + admission policy. Possible values are ENABLE and DISABLE. + type: string + project: + description: The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + type: string + required: + - defaultAdmissionRule + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. 
The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. 
+ type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: PolicyStatus defines the observed state of Policy. + properties: + atProvider: + properties: + id: + description: an identifier for the resource with format projects/{{project}} + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: []